/*
 * Copyright (c) 2025 Beijing University Of Posts and Telecommunications.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

import "console"

// Test-case rule for CVE-2025-21817 (component kernel_linux_5.10, see meta).
// It matches a scanned file that contains $vuln_pattern and does not contain
// $fixed_pattern; only then is the console.log() call reached, which prints
// the "testcase pass" line.
rule TestCaseRule_CVE_2025_21817
{
    meta:
        // Descriptive metadata only; none of these values affect matching.
        // openharmony_sa is left empty in this rule.
        date             = "2025-11-28"
        openharmony_sa   = ""
        cve              = "CVE-2025-21817"
        severity         = "medium"
        component        = "kernel_linux_5.10"
        affected_version = "OpenHarmony-v5.0.3-Release"
        fix_commit       = "b36c9fbe92dcdaec48fefc27ac9a076704a6ec21"

    strings:
        // Pre-fix vulnerable pattern (described by the author as the typical
        // signature of an out-of-bounds read in nf_hook_slow).
        // NOTE(review): the nf_hook_slow attribution comes from the original
        // comment and cannot be checked from this file -- confirm it against
        // the CVE record and fix_commit above.
        // In the hex string, `4?` wildcards the low nibble and `??` a whole byte.
        // NOTE(review): these bytes read as x86-64 encodings (48 8D 41 FF looks
        // like `lea rax,[rcx-1]`, 48 39 0A like `cmp [rdx],rcx`, 0F 87 like a
        // near `ja`). If the kernel image under test is built for ARM/ARM64,
        // this pattern cannot match -- confirm the target architecture.
        $vuln_pattern = { 48 8B 4? ?? 48 8D 41 FF 48 39 0A 0F 87 }
        
        // Post-fix safe pattern (per the author: a bounds check was added, or
        // the dangerous code was removed outright).
        // Differs from $vuln_pattern only in bytes 5-8 (48 83 C1 FF, which looks
        // like `add rcx,-1`) and in the final byte (0F 82, which looks like a
        // near `jb`).
        // NOTE(review): both patterns are 13 bytes with wildcards and are not
        // anchored to a symbol or offset, so they may hit unrelated code or miss
        // the real site after a compiler or config change -- validate against
        // images built before and after fix_commit.
        $fixed_pattern = { 48 8B 4? ?? 48 83 C1 FF 48 39 0A 0F 82 }

    condition:
        // console.log() always evaluates to true, so it does not change the
        // match result; it only emits the message once both pattern checks
        // have already held.
        // NOTE(review): as written, "testcase pass" is printed when the
        // vulnerable pattern is present and the fixed one is absent. If the
        // harness reads "testcase pass" as "patch applied", this condition is
        // inverted -- confirm the intended semantics with the test runner.
        // A file containing neither pattern does not match and prints nothing.
        $vuln_pattern and not $fixed_pattern and 
        console.log("CVE-2025-21817 testcase pass")
}